FRT Cyber Security Awareness
PRACTICAL TRAINING
Targeted Email Phishing

By far the most common way attackers break into companies, and onto your computer, is the targeted “phishing”
email.

In a phishing attack, the hacker sends you an email that can either:

• Pretend to come from a financial or e-commerce website such as Ebay, Amazon or Paypal
• Pretend to come from people you trust like a friend, colleague, your bank, or a government agency
• Suggest that something bad will happen if you do not provide personal details right away
• Offer you a free prize or award

The emails will normally try to persuade you to open an attached file or click on a link to log in to their fake “website”,
so you can change your password, view something, or provide details. Once you visit the site and log in, it’s game over:
they have your username and password, and can also drop malware onto your system if they want.

Hackers will often use details about you, such as your name, what you do, your background and preferences
(things that don’t usually change over time), taken from a large data breach such as the Facebook breach, to make
the email convincing enough that you click the link.
Hackers are counting on you being distracted at work/home because you’re multitasking.
So remember to pause before you click any link!

Remember: All it takes is 1 click of your mouse to give them full access to your system.

Targeted Email Phishing Mitigation


When you receive an unsolicited/unexpected email, always pause momentarily, and think about the context
around the email coming in. And ask yourself:

• Who is this email really from?!


• Why are they asking me to update my details over email?!
• Why didn’t they call me instead if it was that important?!
• Why do I need to give this information?
• Is there a safer way to provide the info?

PHISHING RED FLAGS

When you receive an unsolicited email, please pay attention to the following red flags:

“From”

• Notice the name in the “From” field, but don’t believe it 100%. The “From” field can be spoofed, and the
display name is whatever the sender chose to type, so a name you recognise can sit in front of an address you
have never seen. Always treat this field with suspicion!
• The email could look like it’s coming from a friend, family member, colleague, business contact, manager or CEO,
when it is actually from a scammer.

“To”

• Is it addressed only to you, or other people as well?


• If others, ask yourself why are they in the email?
“Subject”

Beware of subject lines such as:

• Your Tracking Details


• “So-and-So” shared a document with you
• Verify/Update your account
• “Wow/OMG/Check This Out!”
• Update/download XYZ software
• You have won something
Be VERY suspicious of any emails that pique your curiosity, make you scared, or make you want to act immediately
on something. These are common social engineering tactics to make you click a link.

“Salutation”

• Does the email address you by your personal name?


• Or something impersonal like “Dear Client/Customer/Hello”
• If this is a company you do business with, they should know your name! (Sometimes hackers want
their emails to reach as many recipients as possible, so their email will contain a lot of generic wording)

“Content/Body”

• Are there spelling or grammatical errors anywhere in the email?
• Is there a trusted big brand logo in the email, to trick you into lowering your guard?
• Spelling and grammar mistakes are a useful warning sign: many scammers operate internationally, and
reputable companies proofread what they send. But a polished, error-free email is not proof that it is genuine.
The targeted phishing described above is often written carefully, so judge the email by what it asks you to do,
not only by how it reads.

Embedded Link

This is the most important thing to pay attention to!


Never click on a link in an unsolicited email before checking:
• Is there a link/button inside the email they are asking you to click?
• Where does the link explicitly say it is going?

Now hover your mouse over the link, BUT DON’T CLICK THE LINK! You will see the REAL link destination, either as a
popup/tooltip in your email client (e.g. Outlook) or in the bottom left status bar of your browser. This is where the
link is actually taking you!
If the address written in the email and the address that appears when you hover do NOT match, be VERY suspicious!
• Watch for slight variations in the website spelling, e.g. disney.com vs d1sney.com
• Read the hovered address from the start (after “https://”) up to the first “/” (forward slash). The part just
before that first “/” is the host name, and the real owner of the site is the registered domain at the END of
it. So in www.blah.com-blahblah.evil.com/... the link goes to evil.com; the “blah.com” at the front is just a
sub-domain name the attacker chose. Anything after the first “/” is a page on that site and cannot change who
owns it.
• A shortened link (e.g. http://ow.ly/blahblah or http://bit.ly/blahblah) hides the destination completely, and
hovering only shows the shortener, not where it forwards you. That is a red flag in unsolicited emails pretending
to come from reputable companies such as Google or your bank.

Never respond to login/password reset requests sent via email that you did not initiate or expect!
• Treat any email that directs you to click on a link with caution
• Pay attention to the URL address of the website you are typing in. Malicious websites may use a variation
in spelling or a different domain e.g. “.com” vs “.net”
• If you have any concerns, you really should personally phone the company or colleague or go to their
desk / office and confirm the purpose of the email in question.
Business email compromise (BEC)
Their goal is to persuade you to complete a wire transfer – usually to an international bank.
These emails will try to entice you based on urgent language, and your relationship with the email sender.

Hackers will specifically target people conducting certain kinds of high-value transactions such as people working in
Payroll or Accounts Payable who conduct international wire transfers.

Hackers will send the email from a high-level executive’s real mailbox that they have broken into (so the address
itself checks out), or from a look-alike domain that is one or two letters different from your actual company
domain (a swapped letter, or “rn” in place of “m”, for example).
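The link checks above and the look-alike-domain trick used in BEC can be put into code. The following Python checker is an added example, not part of the FRT training material: it extracts the real host from a link, compares the registered domain against the address the reader sees in the text, flags a trusted brand name hiding in a sub-domain (www.paypal.com-secure.evil.com), catches one-character and confusable-character variants (d1sney.com, arnazon.com, .com vs .net), flags link shorteners, and checks whether a sender’s domain imitates your own. The company domain frt-example.com, the trusted-brand list and every sample link are constructed assumptions.

```python
"""Link and sender-domain red-flag checks (added example, not from the training page)."""
import re
from urllib.parse import urlparse

# Assumptions constructed for this example:
OUR_DOMAIN = "frt-example.com"                      # hypothetical company domain
TRUSTED_DOMAINS = {"paypal.com", "amazon.com", "disney.com", OUR_DOMAIN}
SHORTENERS = {"bit.ly", "ow.ly", "t.co", "tinyurl.com", "goo.gl"}
# Characters attackers swap in because they look alike (folded only for comparison).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "|": "l"})
LOOKS_LIKE_DOMAIN = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.IGNORECASE)


def host_of(url: str) -> str:
    """Host name of a URL or bare domain, lower-cased, without a trailing dot."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host: the part after the first '/' can never change this.
    Approximation: a real tool would consult the public suffix list for co.uk and friends."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, targets=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates (d1sney.com, arnazon.com, paypal.net), or None."""
    if domain in targets:
        return None                                   # the real thing
    folded = domain.replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)
    for target in targets:
        same_name_other_tld = folded.split(".")[0] == target.split(".")[0]
        if folded == target or same_name_other_tld or levenshtein(folded, target) <= 1:
            return target
    return None


def check_link(display_text: str, href: str) -> list:
    """Red-flag codes for one hyperlink: the text the reader sees vs the real target."""
    flags = []
    real_host = host_of(href)
    real_domain = registrable_domain(real_host)
    # 1. The visible text names a site, but the link goes to a different registered domain.
    if LOOKS_LIKE_DOMAIN.search(display_text):
        if registrable_domain(host_of(display_text)) != real_domain:
            flags.append("MISMATCH")
    # 2. A trusted brand name appears left of the registered domain, i.e. in a sub-domain.
    left_part = real_host[: len(real_host) - len(real_domain)]
    if any(t.split(".")[0] in left_part for t in TRUSTED_DOMAINS):
        flags.append("BRAND_IN_HOST")
    # 3. One-character or confusable-character variant of a trusted domain.
    if lookalike_of(real_domain):
        flags.append("LOOKALIKE")
    # 4. A shortener hides the destination; a redirect can send you further still.
    if real_domain in SHORTENERS:
        flags.append("SHORTENER")
    # 5. Plain http: no encryption, and no padlock to check once you land.
    if href.lower().startswith("http://"):
        flags.append("NO_TLS")
    return flags


def check_sender(address: str) -> list:
    """BEC check: does the sender's domain imitate our own company domain?"""
    domain = registrable_domain(address.rsplit("@", 1)[-1].lower())
    target = lookalike_of(domain, {OUR_DOMAIN})
    return ["LOOKALIKE_OF_" + target] if target else []


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email.
    samples = [
        ("https://www.paypal.com/login", "https://www.paypal.com/login"),
        ("Click here to verify", "https://www.paypal.com-secure.evil.com/update"),
        ("www.disney.com", "https://d1sney.com/prize"),
        ("Your tracking details", "http://bit.ly/3xyzabc"),
    ]
    for text, href in samples:
        print(f"{href:50} {check_link(text, href) or 'OK'}")
    print(check_sender("cfo@frt-exarnple.com"), check_sender("cfo@frt-example.com"))
```

A clean result means only that none of these particular tricks were spotted; an attacker who registers an unrelated domain and writes a convincing email passes every check here, which is why the call-back verification below still matters.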

BEC Email Mitigation


By far the easiest way to stop BEC fraud altogether is to make a two-minute call and verify the
transaction/invoice/payment request with the supposed sender, using a phone number you already have on file,
not one taken from the email itself.

ABSOLUTELY AVOID VERIFYING ANY LARGE WIRE TRANSFERS VIA EMAIL!


ALWAYS carefully verify large invoices and payments:
• Never pay unless you know the bill is for things that were actually ordered and delivered
• Limit the number of people who are authorized to place orders and pay invoices
• Make sure major spending can’t be triggered by an unexpected call, email, or invoice
• Having two people independently authorize LARGE wire transfers is the way to go!
o It's possible for one person to be tricked, but harder for two.
• Ideally you want a confirmation call from your bank whenever there is a large wire transfer

You can try this quick email phishing simulation created by Google. They present you with 8 very realistic emails, and
you might be surprised by how sneaky these phishing emails can be. Good luck!

https://phishingquiz.withgoogle.com/

Google also has created an online game called Interland: Reality River, in which you have to answer certain questions
to cross and avoid the phishers.

https://beinternetawesome.withgoogle.com/en_us/interland/landing/reality-river

If you receive a shortened URL (in an email for instance), you can copy/paste the URL into this website and it will
show you the full-length website URL, so you see where it really points to.

https://unshorten.link/
Macro Malware

Put simply, macros are a type of programming code (VBA) embedded inside Microsoft Office files, both the
classic .XLS/.DOC/.PPT formats and the macro-enabled .XLSM/.DOCM/.PPTM ones, that automate tasks to make your
job easier.

Having said that, macros are also great for hackers trying to deliver malicious code to you, because they can be
executed with a single mouse-click inside Microsoft Office!

Office documents are one of the most common carriers of malware, so if you receive a Microsoft Office file from the
Internet or an untrusted source, there is a real chance it contains a malicious macro.

Macro Malware Mitigation


Office opens files that came from the Internet or arrived as Outlook attachments in Protected View (read-only, with
most editing functions turned off), and macros are disabled by default; current versions of Office also block macros
outright in files downloaded from the Internet. This is good! We want this:
• It protects us from files downloaded from the Internet
• And from files received via Outlook from an untrusted sender

The file will show a yellow “Enable Editing” / “Enable Content” bar; clicking it is exactly the one click the attacker
needs. When you’re at work, only enable macros inside files stored in trusted locations. If you know the file is from
a trustworthy source, and you want to edit, save, or print the file, you can exit Protected View for that one particular
file. That is not the same as enabling its macros, which you should still leave off unless you have confirmed with the
sender why the file needs them.
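Before clicking any Enable button, it helps to know whether the file even contains a macro. The following Python script is an added example, not part of the FRT material: it tells the two Office container formats apart by their magic bytes, looks for the vbaProject.bin part that carries macros in the XML formats, does a cheap scan for the VBA stream name in the legacy binary format, and flags a macro hiding behind a supposedly macro-free .docx/.xlsx/.pptx extension. The sample files it inspects are built in memory and are constructed stand-ins, not real documents; the legacy-format scan is a heuristic, and a real triage would use a proper OLE parser such as oletools’ olevba.

```python
"""Inspect an Office file for VBA macros before deciding to enable anything (added example)."""
import io
import os
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"       # legacy .doc/.xls/.ppt compound file
ZIP_MAGIC = b"PK\x03\x04"                              # .docx/.xlsx/.pptx and the *m variants are zips
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")  # stream name inside a legacy VBA storage
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}    # not supposed to carry macros at all


def inspect_office_file(name: str, data: bytes) -> dict:
    """Return the container type, whether VBA was found, and a plain-language verdict."""
    ext = os.path.splitext(name)[1].lower()
    result = {"name": name, "container": "unknown", "vba": False, "verdict": ""}

    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            parts = [p.lower() for p in zf.namelist()]
        # In the XML formats all macro code lives in a binary part called vbaProject.bin.
        result["vba"] = any(p.endswith("vbaproject.bin") for p in parts)
    elif data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        # Legacy format: directory entry names are UTF-16LE, so a plain scan for the VBA
        # stream name is a cheap indicator (sufficient, not exhaustive). Heuristic only.
        result["vba"] = VBA_STREAM_UTF16 in data
    else:
        result["verdict"] = "not an Office container; do not open it as a document"
        return result

    if result["vba"] and ext in MACRO_FREE_EXTENSIONS:
        result["verdict"] = "macros hidden behind a macro-free extension: treat as hostile"
    elif result["vba"]:
        result["verdict"] = "contains VBA macros: do not click Enable Content unless the source is verified"
    elif result["container"] == "ole":
        result["verdict"] = "legacy format, no VBA stream seen; still open it in Protected View"
    else:
        result["verdict"] = "no macros found; links and exploits are still possible, keep Protected View"
    return result


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal .docx/.docm skeleton, just enough to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # dummy VBA part
    return buf.getvalue()


def make_fake_ole(with_macro: bool) -> bytes:
    """Constructed blob with the OLE magic; not a valid document, only feeds the scan."""
    body = b"\x00" * 64 + (VBA_STREAM_UTF16 if with_macro else b"") + b"\x00" * 64
    return OLE_MAGIC + body


if __name__ == "__main__":
    for fname, blob in [("report.docx", make_ooxml(False)),
                        ("invoice.docm", make_ooxml(True)),
                        ("invoice.docx", make_ooxml(True)),
                        ("old.doc", make_fake_ole(True)),
                        ("notes.txt", b"hello")]:
        r = inspect_office_file(fname, blob)
        print(f"{fname:14} {r['container']:8} vba={str(r['vba']):5} {r['verdict']}")
```

To run it against a real attachment, read the file with `open(path, "rb").read()` and pass the bytes in; the script never executes anything inside the document, it only lists the zip parts or scans bytes.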
Messenger Apps and Smishing (SMS phishing)

SMS texts and Messenger apps are just as easy to use for social engineering as email. It’s just another vehicle for
hackers to spread their evil malware to you!

Being able to message people using various software and apps is so common these days:
• SMS
• iMessage
• WhatsApp
• Facebook Messenger
• Skype
• Viber
• Telegram
• LinkedIn

Most people access the Internet via their mobile phones now
• Most emails are opened first on a mobile device
• Due to the smaller screen space on mobile devices, it is harder to see where a presented link will actually
navigate to if clicked
• It is harder to see the real destination of hyperlinks in emails/messenger apps/SMS
• As a result, people are THREE TIMES more likely to click on a link in an SMS text/Messenger app from
a spoofed number, compared to on a computer

Messengers and Smishing Mitigation


• Treat every link presented in an SMS text with intense suspicion
• Don’t trust anything that arrives via text/messenger/email, even if it’s from your friend, family
member or colleague!
o If you ever receive an unexpected message from a friend/colleague, call them directly and
ask if that was them

No government agency, bank, or legitimate business will ever request personal information via SMS text!
• Never click on any links in unsolicited texts/messages
• Also, never respond to them: Responding verifies that your phone number is active, and they might start
bombarding you with malicious messages now as a result
Vishing (Voice phishing)

• Vishing = social engineering using voice phone calls


• Because of Voice-Over-IP (VOIP) technology today, it’s pretty simple to spoof phone numbers
• Scammers are using vishing to trick you into handing over your money and/or personal and sensitive
information by impersonating:
o Law enforcement
o Government agencies
o Big name brands
o Fake tech support companies

Vishing Mitigation
NEVER TRUST YOUR CALLER ID ON YOUR PHONE.

Be prepared for vishers to have your name, address, phone number and last 4 of your Social Security Number
or credit card on hand (these may have been scraped from previous big company breaches).

Never give your personal info over the phone when you receive an unsolicited call.
Even if the caller ID looks good, tell them you will hang up and call them back. But don’t call the number they
themselves give you, since that number cannot be trusted either. Look up the institution’s/business’s number
online (or on the back of your card or statement) and call that number instead.

Remember: Gift cards are for gifts, not payments!


Anyone who calls you and demands payment by gift card (+ asks for PIN) is 100% a scammer!
If you accidentally hand over the gift card details/payment info to the fraudster, call the card issuer (Amazon,
iTunes etc.) ASAP and tell them to cancel the card. You may be able to block the scam in time.

Finally, there are also certain apps (such as Malwarebytes, Hiya, Robokiller, Truecaller, and SMS Shield) that check
incoming calls and texts against a large database of known scammer numbers, and if they notice a match, the app
will block the call or SMS text from coming through.
Ransomware

Ransomware is essentially digital hostage taking.

The malware will usually land on your system via a malicious link, an attachment, or a visit to a hacked but otherwise
benign website. It will then encrypt ALL of your important files, making them inaccessible to you: we are
talking pictures, documents, PDFs, emails. All of it.

The hackers will not decrypt your files unless you pay them a ransom, usually in cryptocurrency.
Important: paying does not guarantee you get a working decryption key, and victims who pay are frequently hit
again and asked for more, because the attackers now know you are willing to pay.
Lately they have also started stealing your data out of your network before encrypting it, to “add insult to injury”,
and they threaten to release all your sensitive data onto the Internet unless you pay up!

Ransomware is often targeted to:


• Local city government
• Hospitals
• Universities
• Businesses running expensive, hard-to-replace systems

Ransomware hackers target networks that they know are willing to pay, because the network cannot afford to
be offline for days or weeks.

Ransomware Mitigation
• Install antivirus software (it should include Machine Learning and Behavioral Analytics)
• Make sure your operating systems and all your software are up to date with patches!
• Keep at least two backup copies of all of your important and sensitive files:
o One can be local (an external drive), the other in the cloud (OneDrive, Dropbox, Google Drive etc.)
o Disconnect the local drive from your computer when you are finished backing up your data,
so that ransomware cannot reach those files
o A cloud sync folder is not a full protection on its own: if ransomware encrypts a synced file, the
encrypted copy is uploaded too, so make sure the service keeps older versions and that you know
how to restore them
• Test a restore now and then; a backup you have never restored from is a hope, not a backup
CryptoJacking/CryptoMining

Cryptomining is the use of computing power to perform very difficult mathematical computations, and being
rewarded for that work afterwards with cryptocurrency.
Cryptojacking is a theft of your unused computing power to secretly perform that same work.
The hackers want to monetize your computer or mobile phone while it sits idle, instead of buying their own
hardware!
So cryptojacking is basically cryptomining, without your explicit permission, with your own computer.

The cryptomining script or code is secretly embedded in:


• Website ads
• Webpages of sites you visit
• Google Chrome extensions and other browser plugins
• Files you download from the Internet or via email
• Google Play Android apps disguised as games, utilities, educational apps etc.
• Public company websites/servers with a lot of computing horsepower
• The code can run in a browser on ANY device!

CryptoJacking/CryptoMining Mitigation
The best defense against malicious cryptomining scripts is to use script and ad blockers in your browsers (this
is addressed in the Browser Security section).

If you use Google Chrome, the browser’s own Task Manager (Shift+Esc, or Menu > More tools > Task manager) shows,
per tab and per extension, how much CPU is being used, so you can find the website that may have loaded a
cryptominer. Close the tab (or remove the extension) that is burning all the CPU, and the mining script stops with it.
Stay vigilant for any signs your system is running slowly, or its fans spin up, after visiting a certain website,
clicking on an ad, opening a file, etc. (although there are certainly other reasons why your machine may slow down).
Search Engine Optimization

Keep in mind that a large number of benign websites are regularly hacked, malicious code is uploaded onto
them, and the attackers then push those pages up the Google search results (“SEO poisoning”), as a way to get
you to visit them.
As a result, one or more Google search results in the first few pages may be malicious for the following searches:
• Breaking news
• Natural event
• Celebrity death
• Political news
• “Free” music, software, screensavers, games etc.
• Popular trending topics

Search Engine Optimization Mitigation


• First of all, stay away from untrustworthy websites, especially at work! It’s not worth the risk and bad
attention you will receive, if you download something malicious onto your company network.
• Whenever possible, stay away from sites that supposedly offer “free” music, software and multimedia
(i.e. pictures, videos). These links are more likely to contain malware instead.
• Use bookmarks whenever possible, so you don’t need to rely on search results. Or instead of searching for
a website, e.g. Amazon, type “Amazon.com” yourself into the browser.
• Always be aware of the context on a Google search result link. It is important to scrutinize all Google
search results and ensure that any websites that host the information you seek are relevant websites
for that type of content
• If you search for a website on Google, click the top search result: one that is not an ad!

After clicking a link in the search results it is important to always verify that you have landed on the website domain
you expected. Double check the URL - Are there any weird characters, symbols? Verify that you are on the correct
domain before entering your login credentials.
Before typing in any personal data, e.g. username and password, make sure the website address at the top of the
browser window begins with https (with an “s”), which means the connection between your computer and the
website is encrypted. But https only proves that the connection is encrypted, not that the site is honest: most
phishing sites now use https too, so check the domain name first and the padlock second.
Fake AntiVirus

Fake antivirus software tricks you into purchasing and installing malicious software, which will pose as genuine-
looking antivirus programs, but then grab your credit card information so they can “fix” your apparent virus
problem.

They may show you a persistent pop-up window, warning that your machine is seriously infected with viruses, and
offer to save you, by removing the viruses with their own software. But if you click anywhere in the pop-up window
to close the message, the link instead goes to a fake website and your computer becomes infected with real
malware.

The scammers may even call you by phone, and deceitfully inform you that your computer is showing “signs of
viruses.” They will then offer to “help” by directing you to a website to remove the viruses, but by following their
instructions, you are basically granting full remote-control access of your computer to them!

The fake antivirus program itself often does little beyond nagging you to pay for the made-up virus problem,
but it got onto the machine because untrusted software was allowed to run, so treat the computer as compromised
rather than assuming your files are safe.

Fake Antivirus Mitigation


Never respond to these fake antivirus alerts!

Because your company manages your antivirus software for you while at work, if you ever receive a suspicious
message about viruses on your system, please contact your system administrator.

If you see these types of pop-ups at home, treat them with a high level of suspicion, and have your machine scanned
for malware (or wiped and rebuilt from scratch if you wish to be prudent).
Smartphones & Mobile Apps

Our smartphones, such as the Apple iPhone and the various flavors of Google Android, are extremely intimate
devices that allow you to view movies, browse, do online banking, take pictures and videos etc. So always keep
in mind that they are essentially mini computers.
And because they are so popular with all of us, they are major targets for hackers looking to steal our private data
and money.

APPLE iOS
If you have an iPhone today, you are, in general, better protected than on an Android. This is because:
• Apple controls all of its own hardware and software
o Apple pushes iOS updates directly to every supported iPhone, and most devices install them soon
after release. As a result, iPhone users are generally up to date.
• Apple has a closed app development environment, so it’s harder for anyone to create an app for iPhone
o Apple has a very strict vetting process around the apps in their App Store
• There is far less malware targeting the iPhone, and what exists is mostly aimed at high-value targets
o The iOS permissions are more restrictive, and also easier for you to understand. The app asks
for a permission at the moment it needs it, which means you will have a better understanding
of why it’s asking
iOS is not immune, though: the phishing, smishing and vishing described above work the same on any phone, and
installing updates promptly is still your job.

ANDROID
Android phones have incredible functionality, customization, and a more open development platform and App
Store than iPhones, which offers us many benefits. But as a result, they also have some insecurities of which you
must be aware:
• Google has little control over pushing software updates to non-Google devices
o So Google leaves it to third-party phone manufacturers to push Android updates to their
own customers
o Some phone manufacturers e.g. Samsung are now following Google’s lead, and
sending monthly updates to their phones. But many others either deliver them later
or don’t even do it at all.
• Android users can download and install an app from either the Google Play Store, or from
any third-party Android app store
o These third-party app stores have few if any security checks
o Many are open for anyone to upload any app of their choosing
o A recent ThreatPost article states that the Google Play Store is 9x safer than third-
party app stores

Common things Android malware can do if downloaded:


o Ask for SMS permissions so that it can register you for paid services
o Send SMS messages to premium rate international numbers
o Spy on your calls and texts
o Steal your personal and sensitive data
o Steal your passwords
o Steal your banking 2-Factor Authentication SMS codes
Password Management

Please Stop re-using passwords!


It’s one of the leading ways people’s accounts get hijacked: once one website leaks your password, attackers try
that same password on every other site you might use.
Password strength depends on how many guesses a hacker would need to find it.
So to make your password stronger, you need to maximise these three elements:
1. Make it long
2. Make it complex
3. Make it random

By complex, it means it contains special characters, numbers, capital letters etc.

By random, it means it isn’t easily predictable: for instance, it shouldn’t contain whole words or names.
Length matters far more than how many special characters and numbers you use. Each extra character
multiplies the number of possible passwords by the size of the character set (26 for lowercase letters, about
95 for all printable characters), so adding length grows the attacker’s work much faster than adding a symbol to
a short password.
So when choosing a password, it is better to use a long passphrase than a short complex password.

If possible, keep the passphrases for your email and financial institution websites in your own head. For all
the rest of the hundreds of website passwords one has to manage, it’s recommended to use a password manager.
FRT has its own password manager called Credman. Anyone who wants to use it can request access from
their system administrator.
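The length-versus-complexity point can be made concrete with a few lines of arithmetic. The Python below is an added example, not part of the FRT material: it works out the character set an attacker must assume from the classes a password uses, the entropy a password would have IF it were chosen uniformly at random (an upper bound that human-chosen passwords never reach), the equivalent for a random passphrase, and the expected cracking time at a guess rate. The guess rate of ten billion per second, the Diceware list size and the small word list are constructed assumptions, and none of the candidate passwords are real.

```python
"""Why a long passphrase beats a short complex password: size of the guess space (added example)."""
import math
import string

# Character classes an attacker has to assume once they know one character of each kind is present.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,     # 26
    "upper": string.ascii_uppercase,     # 26
    "digits": string.digits,             # 10
    "symbols": string.punctuation,       # 32
}
DICEWARE_WORDS = 7776            # assumption: size of the standard Diceware word list (6^5)
GUESSES_PER_SECOND = 1e10        # constructed rate for an offline hash-cracking rig
# Constructed mini wordlist; a real cracker uses millions of leaked passwords and names.
COMMON_WORDS = ["password", "summer", "welcome", "admin", "london", "frt"]


def charset_size(password: str) -> int:
    """Alphabet size implied by the classes used. Non-ASCII characters are not modelled here,
    so a password made only of them scores 1 (0 bits): a limitation, not a verdict."""
    size = sum(len(chars) for chars in CHAR_CLASSES.values() if any(c in chars for c in password))
    return max(size, 1)


def random_password_bits(password: str) -> float:
    """Entropy if every character had been picked uniformly at random from the alphabet."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(n_words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy of n words picked uniformly at random from a dictionary of the given size."""
    return n_words * math.log2(dictionary_size)


def years_to_crack(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected cracking time: on average the attacker finds the password halfway through."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def extra_char_factor(password: str) -> int:
    """How many times more guesses ONE more character of the same kind costs the attacker."""
    return charset_size(password)


def contains_common_word(password: str, words=COMMON_WORDS) -> bool:
    """'Random' means no whole words or names: this is the lookup a cracker's wordlist does."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= 4)


if __name__ == "__main__":
    # Constructed candidates; none of these are real passwords.
    candidates = {
        "P@ssw0rd!": "9 chars, all four classes, but a dressed-up word",
        "Summer2024!": "short, complex, built on a word",
        "qzvmkxtrbwlpae": "14 random lowercase letters",
        "correct horse battery staple": "4 random words from a 7,776-word list",
    }
    for pw, note in candidates.items():
        if " " in pw:   # a spaced passphrase is measured by its word count, not its letters
            bits = passphrase_bits(len(pw.split()))
        else:
            bits = random_password_bits(pw)
        print(f"{pw:30} {bits:6.1f} bits  ~{years_to_crack(bits):.2e} years  "
              f"wordlist hit={contains_common_word(pw)}  ({note})")
```

The random-bound column is only meaningful when the password really was random: the two word-based candidates fall to a wordlist long before anyone exhausts 2^59 guesses, while 14 random lowercase letters out-score the nine-character all-class password. Four Diceware words give about 52 bits; six give about 78, which is the kind of passphrase worth memorising for email and banking.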

Encryption
Before considering any encryption solutions, make sure you do not go outside of company policy and install
unauthorized encryption software.
• All web sites and traffic, slowly but surely, are becoming encrypted on the Internet;
• 75% of the web is now HTTPS encrypted;
• Make sure to encrypt any emails that contain sensitive client/customer data, or personal data such
as Social Security numbers.
Social Media Scams
Because of all our connections with friends and family, as well as our ability to share new photos, links,
comments and stories with them, social networks are a very effective way of spreading malware.

And because there are over a billion people on social media websites, hackers and scammers go to where people
congregate.

Thus, because of this inherent trust you have with your social media friends, hackers and scammers will use
social engineering to trick you into viewing pictures and videos, and visiting links that will bring malware to your
systems (because you are more inclined to click on something that has been “shared”).

As a result, please make a habit of only following current news and events on reputable news sites, and avoid
reading news on social networking sites such as Facebook, unless the article is from a reputable news source as
well.

• Stop, and pause, when a friend sends a message, or writes on your “wall” with a catchy subject line,
to persuade you to click on the link, such as:
o OMG!
o WOW!
o YOU MUST SEE THIS!
o HEY, CHECK THIS OUT!
• Be extremely careful which social media groups and profiles you follow. Although
Facebook/Instagram/Twitter are deleting millions of fake accounts on a daily basis, new ones are still
created to share false or malicious content

• Be very suspicious if a message prompts you to update a program e.g. video codec, in order to view
content

• Be very suspicious if a message asks you to grant a third-party app access to your profile

• Think twice before accepting friend requests from people you don’t know. There are millions of bogus
social media accounts created every day, with fake profile pictures, which are being used to social engineer
people
Business Travel

First and foremost, always ask your system administrator to install any software needed to work securely whilst
traveling.
• Encrypt any sensitive data you have on your laptop with the help of your system administrator
• Ensure your phone/tablet is password protected
o Turn off all biometrics logins (authentication using parts of your body) when traveling, as
customs officers in foreign countries may unlock your phone using your face or fingerprint
• When traveling, only carry what you need remotely to do your assigned work
o As a rule, “don’t bring what you don’t need”
o If you have to travel with stored data, make sure it’s encrypted and backed up
• Do not connect to a public Wi-Fi, unless you’re using a VPN client:
o Especially for company work, banking, or e-commerce websites
o Only connect to well-known Wi-Fi networks
o Always check the network names to make sure there are no extra characters or typos
▪ Pro tip: Tether your laptop to your mobile phone’s hotspot. This bypasses open Wi-Fi
connections, and instead uses your mobile cell service to connect to the Internet
o Also switch off your Wi-Fi and Bluetooth connections when not in use
Cyber security incident escalation procedure

If you think you have, accidentally or intentionally, clicked on a link, opened a website, or downloaded a file
that looks suspicious and might contain malware, this must immediately be escalated to your line manager and,
more importantly, to any of the system administrators.
If you feel that your PC/laptop might have been infected, avoid using it until it has been checked.
• If you are in the office, go to your line manager and then to the available system administrator
and explain what happened.
• If there isn’t any available system administrator, speak with the CTO, or ask your line manager to
speak to them.
• If your line manager is working from home, ask someone from your team to write to them.
• If your line manager is on holiday, turn to someone else senior from your team or to the manager
of your line manager.
• If you are working from home, pick up the phone and call your line manager directly via your mobile
operator (not Teams, since a compromised machine cannot be trusted to carry that call).

The system administrator takes care of your machine, while the line manager makes sure to tell everyone in the
team and, depending on the employee’s role, partners/clients that this person’s machine might have been
infected, and that they should not open or download anything received from them, nor reply to any of their
messages.
System administrators should keep a record of all cyber security incidents in a log.
